Enterprise clients can currently use full SSO, but standard users who are authenticated against the database using plain .NET authentication are currently verified by the database password alone.
This update will add two-factor authentication for standard database users.
- For now the configuration to enable it will be in the web.config (at a system level)
- At launch we will offer two methods
a. Google Authenticator
b. Email - the code generator should be stand-alone so we can add additional methods later (such as SMS)
- We will embed the signup and workflow into the login process so it is a seamless and self-describing process
To facilitate this we will need to:
- Create a unique code generator based on the TOTP reference standards
a. Each code is locked to the .NET auth userid {guid}
b. The "secret key" for each user will be the {guid}
c. Each code will expire within 30 seconds
d. Each code will auto-cycle on a 30-second timer
- A series of pages so a user can connect Google Authenticator
a. Add a device
i. Allow for a name and a description
ii. Generate a connector key for manual linking
iii. Generate a QR code for camera linking
b. Remove a device
- Email 2FA will be locked to the user's main email address
a. The timeout on email auth codes will be 5 minutes to allow for email lag
- Store configurations and settings in the user data
- Update the login workflow if MFA is set as mandatory
There are some potential NuGet libraries that offer TOTP and QR code generation that I will investigate:
https://www.nuget.org/packages/Otp.NET/
There are also a few other app options, such as Authy, which is becoming quite popular and which I will also look into as a possible third option.
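The following is an added worked example of the 30-second TOTP generator described above (RFC 6238 over HMAC-SHA1, with the otpauth key URI that Google Authenticator reads from a QR code or manual entry); it is not code from this project or from Otp.NET, and is written in Python rather than .NET so it can be run stand-alone against the RFC 6238 test vectors. The example departs from the plan in one labelled respect: it derives the key from `secrets.token_bytes` because RFC 4226 requires the shared secret to be a random value known only to the user's device and the server, and a user id such as a GUID is not secret; the `issuer` and `account` names are placeholders supplied by the caller.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # the 30-second cycle from the plan
DIGITS = 6
WINDOW = 1          # accept one step of clock skew either side of "now"


def new_secret(nbytes: int = 20) -> bytes:
    # RFC 4226 requires a random per-user secret (160 bits here). This is the
    # example's choice: a user id such as a GUID is not secret and is not used.
    return secrets.token_bytes(nbytes)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    # RFC 6238: HOTP over the number of whole steps elapsed since the Unix epoch
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226 5.4)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time=None, window: int = WINDOW) -> bool:
    # Check the current step plus `window` steps either side; compare in constant
    # time so a wrong code cannot be distinguished by timing.
    now = int(time.time()) if unix_time is None else int(unix_time)
    for skew in range(-window, window + 1):
        expected = totp(secret, now + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    # Key URI understood by Google Authenticator: render it as a QR code for camera
    # linking, or show the base32 secret on its own for manual linking.
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP_SECONDS}")
```

The `totp` values for the RFC 6238 reference secret `12345678901234567890` at T=59 and T=1111111109 are `287082` and `081804`, which lets the generator be checked before any device is enrolled.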